(57) ABSTRACT

A method for secure data communication with a mobile machine in which a data packet is received from the mobile machine having a particular network address. A pool of secure addresses is established and a data structure is created to hold address translation associations. Each association is between a particular network address and a particular one of the secure addresses. If the received data packet is a secure data packet an association between the received data packet's network address and a secure address in the data structure is identified and the data packet's network address is translated to the associated secure address before forwarding the data packet on to higher network protocol layers. When the received data packet is not secure it is passed on without address translation to the higher network protocol layers. For outgoing packets addressed to a secure address, the secure address is translated to a real network address (e.g., IPv4 or IPv6 addresses) and the packet payload is encrypted. Outgoing packets that are addressed directly to real network addresses pass through in a conventional manner.

24 Claims, 5 Drawing Sheets
SECURE COMMUNICATION WITH MOBILE HOSTS

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates, in general, to secure communications, and, more particularly, to secure data communications with a mobile computer over an insecure network.

2. Relevant Background

A typical computing environment includes a secure network, such as a local area network (LAN) or wide area network (WAN) that can only be accessed by computers that are authorized by the network administrator to have access. These networks are non-public and so security can be readily controlled with conventional password management techniques. Mobile users can access the network through, for example, dial-up connections through a server or gateway that verifies the user's identity and access privileges.

An important use of the Internet and other public data communication networks is the ability to exchange data between mobile computers and an organization's secure internal network. However, the public network is not secure. An internal secure network uses a gateway machine or "firewall" to couple the internal network to the external insecure network. A firewall is a hardware and/or software system designed to prevent unauthorized access to or from a private network. A firewall examines all packets entering and exiting the private network and blocks those that fail to meet specified security criteria. In an Internet environment, the gateway performs security operations on the IP layer by using, for example, SunScreen™ SKIP (SunScreen is a trademark of Sun Microsystems, Inc.). SKIP is a public key certificate-based key-management scheme which provides key-management for Internet protocols. Data communications using a secure gateway in this manner are referred to as "secure IP".

All external hosts must be able to communicate with the internal network using secure IP at any time, but must also be allowed to reach the internal network while transmitting in the clear. This is useful if some services on the internal network must be accessible by the general public (e.g., web server or software download access) and by privileged users such as employees which may have additional rights on those services, e.g., downloading proprietary information. Because of this, a gateway device cannot always provide authorization control simply by filtering out transmissions received in the clear.

Prior secure IP systems provide authorization control using access control lists (ACLs) that list each IP network address (or other unique network identifier) that is authorized to access a particular resource on the internal network. In general, a gateway can place a static IP address on its ACL and authorize communication from that address to access services on the internal secure network. While this system addresses some problems related to access control, it does not authenticate that the received data packet truly originated from a particular machine.

A particular difficulty arises in that hosts coupled to the external network may be both regular "static" Internet nodes (i.e., having a permanently assigned IP address) or mobile nodes (i.e., nodes having a dynamically assigned IP address). It is also possible for a host with a static address to be in secure mode at some time, and be in a clear mode at some other time (e.g., the host running Windows™ and Unix at different times). Moreover, two mobile hosts with different security properties may appear under the same dynamically assigned IP address at different times. In these instances merely relying on authorization based on the incoming packet's IP address is insufficient. The gateway machine must be able to authenticate or verify that data received from a remote system truly originated from that system. This situation must be correctly handled by the gateway to prevent, for example, hijacking of TCP connections.

For example, when an outside machine using secureIP disconnects from the Internet, thereby relinquishing its IP address, it can be replaced by a second machine transmitting in the clear that has been assigned the first machine's IP address. From the secure network's perspective, the incoming TCP packets may have come from either a second machine using the first machine's IP address, or from the first machine that is now sending in the clear. The second machine will not be able to break the secureIP security, but it may be able to send data in the clear that will reach the internal network. Desirably, the gateway must detect the difference between these two situations, and hinder the second machine's attempts to send packets on behalf of the old machine. At the same time, the gateway must not allow the fallback to clear text to be abused by an enemy to force all communication to go on in the clear. However, the incoming IP packets do not identify any machine-specific information that would enable the gateway to distinguish between the first machine and the second machine using the same IP address.

Many proposed approaches to mobile user security require the mobile user to specially configure the security software on the mobile machine. However, this makes the security software more difficult to install and use, which is undesirable. To encourage widespread use of secureIP on a variety of machines, it is desirable that the software devices install out of the box, without significant effort to specially configure the software.

Prior solutions, including SKIP and similar IP security protocols, offer support for mobile hosts by either assigning them a permanent ID (called a master key ID or MKID in SKIP) that is stored in the mobile machine and is transferred with every IP packet. Alternatively, a new security association may be established each time a new mobile IP address is acquired. Although these solutions prevent an intruder with a hijacked IP address from reading encrypted packets, they do not solve the problem of address hijacking so long as the gateway allows the mobile host to send data in the clear. In these cases, the intruder may set the MKID field to zero to force communication in the clear while the security association is maintained by the gateway.

Moreover, this approach does not allow machines on the internal network to find out whether the incoming link is secure. The gateway holds the list of authorized addresses and performs the encryption/decryption functions. This information is not transmitted or shared with the internal network devices. Hence, the internal network machines cannot tell from examining the header of a received packet whether the packet was from a secureIP link or received in the clear. It would be useful for the internal devices to be aware of this information so that they could take intelligent action in response to receiving a packet with unexpected security properties.

Another approach uses "firewalls" which give the capability to do address translation for topology hiding. This hinders non-authorized users' efforts to find out about the structure and potentially vulnerable points of the internal network. Although this approach makes address hijacking less effective, it does not prevent its occurrence. Another solution relies on control messages transmitted from mobile hosts to establish IP tunnels. These tunnels provide a mechanism needed to redirect data addressed to the mobile host to a dynamically assigned IP address. Tunnels hinder address hijacking by encrypting packet header information as well as the packet payload, but are difficult to set up and require complex security management mechanisms.

The Internet Engineering Task Force (IETF) working groups for mobile IP have focused on one potential solution for the support of mobile hosts in the current Internet structure. For this, mobile hosts get assigned a "home IP address", and a temporary routing address that is used to address traffic. In the gateway from the mobile network to the traditional Internet, address translation and rerouting may be performed, such that the mobile node appears to be reachable on its home address at all times. This approach can result in a security risk if a request message was sent by a host that had hijacked the dynamic IP address without cryptographically verifying the authenticity of such messages. In order to avoid this risk, all request messages transmitted by a mobile host to the secure network must be authenticated using a message authentication code such as, for example, the keyed-MD5 algorithm.

A need exists for a security method and system that supports mobile hosts in a public network and solves the security risks created by dynamic IP address assignment, so as to prevent an external machine from impersonating a secured machine, allow internal machines to detect whether the outside machine is coming in using a secured connection, and enable the system to be easily configured and used such that it can bootstrap with little or no user intervention. Desirably, the security method and system can be implemented without access control lists, timers, or other complex security management systems such that it is compatible with load balancing mechanisms.

SUMMARY OF THE INVENTION

Briefly stated, the present invention involves a method for secure data communication between an inside network and a mobile machine in which a data packet is received from the mobile machine having a particular network address. A pool of secure addresses is established and a data structure is created to hold address translation associations. Each association is between a particular network address and a particular one of the secure addresses. If the received data packet is a secure data packet an association between the received data packet's network address and a secure address in the data structure is identified and the data packet's network address is translated to the associated secure address before forwarding the data packet on to higher network protocol layers. When the received data packet is not secure it is passed on without address translation to the higher network protocol layers.

When packets are received by the gateway from the inside network, and are addressed to a secure address, then the secure address is replaced by the corresponding network address and the packet is encrypted and authenticated. As used herein, the term "securing a packet" means authentication and/or encryption — and not necessarily encryption only. In this manner, bidirectional secure communications are supported.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates computer equipment programmed to implement the method and system in accordance with the present invention;

FIG. 2 illustrates a network computer environment implementing the method and system in accordance with the present invention;

FIG. 3 shows in block diagram form essential components of a gateway machine in accordance with the present invention;

FIG. 4 shows an example address translation data structure in accordance with the present invention;

FIG. 5 shows a flow diagram of steps for processing inbound data in accordance with an implementation of the method and system of the present invention; and

FIG. 6 shows a flow diagram of steps implemented to process outbound data in accordance with the present invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

The present invention is described in terms of a method and apparatus implemented in conjunction with the SKIP secure Internet protocol system. However, it should be understood that the essential teachings of the present invention may be applied to other environments where network addresses are globally unique (i.e., only one user is able to use a given address at any given time) and where security is performed at the ISO/OSI network layer.

The present invention employs a combination of dynamically enabled address translation together with packet encryption and authentication to achieve a secure data connection between an "inside" secure network and a mobile host. Optionally, a dynamically filled access control list (ACL) is used in combination with the address translation. Both unsigned Diffie-Hellman (uDH) keys and X.509 certificates may be used to identify mobile hosts. This prevents an insecure machine from hijacking the identity of a secure machine and allows machines on an internal secure network to detect whether an outside host is using a secure connection.

A policy to accept uDH certificates without further analysis enables the system to be easily accessed by users in a secure manner, as the administrator does not have to authenticate the unsigned keys for them to be used. Although uDH certificates are not by themselves associated with a particular machine, and therefore are less secure than X.509 certificates, the present invention augments the uDH key with an assigned secureIP address. The unsigned uDH certificates can be upgraded at a later time to X.509 certificates by a system administrator with or without user involvement. This makes the system easy to use without significant user involvement and readily upgradable to provide improved security using X.509 certificates, or the equivalent.

FIG. 1 illustrates a computer system 100 configured to implement the method and apparatus in accordance with the present invention. A gateway computer 102 receives data communications in the form of data packets from mobile host computer 104. Gateway computer 102 comprises a processing unit 106 for executing program instructions that is coupled through one or more system busses to a user interface 108. User interface 108 includes available devices to display information to a user (e.g., a CRT or LCD display and the like) as well as devices to accept information from the user (e.g., a keyboard, mouse, and the like). A memory unit 110 (e.g., RAM, ROM, PROM and the like) stores data and instructions for program execution. All or part of memory unit 110 may be integrated with processor 106. Storage unit 112 comprises mass storage devices (e.g., hard disks, CDROM, network drives and the like). Network
adapter 114 converts data from the system bus to and from a format suitable for transmission across public network 105. Network adapter 114 also supports communication with an internal secure network 107. A system may include more than one network adapter 114 to provide a desired level and type of network connectivity. Network adapter 114 is equivalently substituted by a modem or other analog, digital or mixed analog-digital adapter for a communications network.

Mobile host 104 typically comprises a similar group of components including a processor 116, a user interface 118, and host memory 120. Mobile host storage 122, in a particular example, stores programs and data that are transmitted via modem 124 through public network 105 to gateway machine 102. In operation, mobile host 104 accesses secure network 107 through gateway machine 102.

It should be understood that a typical environment will support any number of other devices including workstations, servers, personal computers, and peripheral devices coupled to internal network 107. Each device coupled to internal network 107 is identified by a locally unique network address. Any or all of such devices may be accessible via public network 105 using gateway machine 102. Also, a typical environment will include a plurality of mobile hosts similar to mobile host 104 as well as static hosts that are coupled to public network 105 using permanent network addresses. Each device coupled to public network 105 is identified by a globally unique network address. Devices coupled to internal network 107 can access devices coupled to public network 105 through gateway machine 102.

FIG. 2 shows an exemplary communication environment such as an Internet environment wherein public network 105 is accessed via a service provider (e.g., Internet service providers (ISP) or online service provider) through machines 201 and 202. Service provider machines 201 and 202 are essentially programmed general purpose computers similar to that shown in FIG. 1 that are optimized to provide a plurality of connections to mobile user machines 204 and 214 as well as static users such as secure network 107. Service provider machines accept connection requests and authenticate users' access rights to public network 105.

In a typical environment, some users have permanently assigned (i.e., static) network addresses while others have network addresses that are dynamically assigned by a service provider machine 201 or 202 from a pool of network addresses "owned" by the service provider. In this manner, the service provider can reassign and reuse network address space and need only own sufficient network address space to support the maximum number of concurrent users. Of particular interest in the understanding of the present invention is that mobile user 204 may be assigned a network address by service provider machine 201. After mobile user 204 logs off, that same network address may be dynamically assigned to mobile user 214.

Ordinarily mobile users 204 and 214 do not control the dynamic assignment of IP addresses and so cannot control which address will be received. However, an intruder using, for example, mobile user machine 214 can use several techniques including collusion with service provider machine 201 to increase the likelihood of receiving an IP address previously in use (or even currently in use) by mobile machine 204. As described in greater detail hereinafter, if mobile machine 204 has established a security association with secure network 107, the intruding mobile machine 214 can gain access privileges that it is not authorized to possess. The present invention operates to prevent such unauthorized access enabled by address hijacking.

Secure network 107 accesses insecure network 105 through a gateway machine 102. Gateway machine 102 has a secure port coupled to secure network 107 (also called a secure subnet 107) and an insecure port coupled to insecure network 105 through, for example, service provider machine 202. Each device coupled to secure network 107 such as server 203, workstation 205, workstation 206 and gateway machine 102 has a unique network address used to route information within the secure network 107. Optional hub 207 provides interconnection between machines coupled to secure network 107. Gateway machine 102 serves to pass data in the form of data packets having a header portion and a payload portion, between machines coupled to secure network 107 and machines coupled to public network 105. The data packets passing through gateway machine 102 may be secure, such as SKIP packets, or may be in the clear. For general applicability it is necessary that gateway machine 102 pass insecure packets without impediments while appropriately analyzing secure packets and performing the required encryption/decryption function in analysis device 303. Data packets include header information that includes a destination address identifier indicating a unique network address, either on the secure subnet or the insecure subnet, that is intended to receive the data packet. Other fields may include key information used for encryption/decryption and authentication purposes.

Gateway machine 102 includes a packet analysis device 301, shown in FIG. 3, that monitors addresses of inbound and outbound packets to machines outside of secure network 107. The present invention operates by selectively routing packets based upon whether the as-received packet header includes an address that is stored in an entry of address translation unit 302. Address translation unit 302 includes a data structure holding address pairs associating a "secureIP" address with a real network address (e.g., an IPv4 or IPv6 address) as shown in FIG. 4. Optionally, each entry may include a timestamp or other state data or metadata useful for particular applications. As the term is used herein, a "secureIP" address is an address that can be formatted similarly to an IP address, but that is assigned by the gateway machine 102 dynamically once the gateway machine has authorized a particular mobile host. Gateway machine 102 has a pool of secureIP addresses (e.g., a reserved class C subnet or the 10.* net or an equivalent) from which it can assign the secureIP address to a particular address pair. They are chosen and controlled by the network administrator operating gateway machine 102. Anybody inside the gateway receiving such an address can be assured that the link on the outside is not in the clear. Desirably, two separate address spaces are used for the secureIP address, one for uDH certificates, one for X.509 type certificates.

In general the present invention operates by assigning a secureIP:network address pair in address translation unit 302 based upon the key material of the received packet when a security association is established. The key material is a value assigned to the entity holding the key such as the "master key" used in SKIP, as well as a uDH key or X.509 key discussed above. It is presumed for purposes of the present invention that each key is unique (i.e., no two mobile hosts use the same key at the same time). In SKIP, the master key is associated with a Master Key ID (MKID) that is transmitted in the SKIP header of a data packet.

The address pair is maintained by updating the network address whenever a secure packet is received with the same key material as an existing address pair. That is to say, if Host A is sending secure packets from IP address "1.2.3.4", address translation unit 302 creates an address pair having an assigned secureIP address (e.g., "7.7.7.7") associated with the network IP address 1.2.3.4. When Host A later connects through a different IP address (e.g., 1.2.3.5) using the same key material (e.g., an MKID associated with Host A), the address pair is updated from "7.7.7.7:1.2.3.4" to "7.7.7.7:1.2.3.5". In this manner, the address pairs maintained by address translation unit 302 always include the network IP address from which the last secure packet was received from Host A. The address pair is the only state information that needs to be kept, although other state information may be included for particular applications.

When Host A stops sending secure packets the address pair entry may eventually be removed from the address translation device 302, indicating that a security association with this IP address no longer exists. Host A can reestablish a security association at any time using the key material known to Host A; however, an intruder that does not know this key material cannot establish a security association from the same IP address.

It should be noted that while the address pair created by address translation unit 302 includes the network address of the received packet, that information does not authorize access from any machine sending packets from that IP address. Unlike prior ACL-type security techniques, the address pair in address translation unit 302 serves to map packets addressed to the secureIP address to the associated network address, but does not directly affect encryption/decryption. If an address pair exists in address translation device 302 it is known to have come from a machine that was sending secure packets and so encryption and authentication must occur using encrypt/decrypt unit 303. In this manner, gateway machine 102 maintains a security association in which the network IP address follows the unique key material that is associated with a particular machine, in contrast to prior implementations in which the network IP address was permanently or semi-permanently authorized once a security association was established.

The secureIP address is a unique address assigned to a particular machine, or more accurately, to the key held by a particular machine. When the gateway machine receiving a data packet has an address pair for a particular key the sending machine is said to be "known" to the gateway machine. As described below, the address pairs in address translation unit 302 are dynamically assigned and maintained.

In operation, as a data packet is received the protocol field of the IP header (or the equivalent) for each incoming packet is examined to determine if the packet is secure. For example, SKIP packets are identified by a "57" in the protocol field. Packets that are received in the clear are passed on transparently to higher protocol layers in a conventional manner. Similarly, outbound packets that are received by gateway 102 in the clear are passed on transparently. In accordance with the present invention, data packets sent in the clear do not require address translation and so will not have an address pair entry unless secure packets were earlier received from the same IP address.

When an incoming packet is identified as secure (e.g., by having an appropriate value in the protocol field of the packet's IP header), the key is extracted from each packet by analysis device 301. The gateway machine 102 next determines if the extracted key is known to the gateway machine. Analysis device 301 uses the key to find or determine the corresponding secureIP address. If an address pair does not already exist the public key of the sending machine is retrieved from the sending machine itself, or from database 307. Database 307 may be a local database or a remote central depository using certificate discovery protocol (CDP).

Optionally, an access control list 304 may be used in conjunction with the address translation mechanism in accordance with the present invention to verify that the outside machine is an authorized user by checking whether the outside machine's address exists in access control list (ACL) 304. The use of an ACL, however, will carry with it some of the inherent limitations of ACL technology such as limiting load balancing performance.

Gateway machine 102 assigns a secureIP address to each machine that sends secure data packets. All devices within secure network 107 use this locally unique address as the destination address for packets intended for delivery to a secure mobile machine 204 or 214. For secure packets, address translation device 302 (e.g., a lookup table, address cache, content addressable memory or the like) translates the locally unique secure address to the appropriate real network address. Analysis device 301 also executes encryption/decryption unit 303 to encrypt outgoing packets and decrypt incoming packets. The data packet is sent on with the translated address.

Gateway machine 102 may maintain database 307 for storing key certificates such as unsigned Diffie-Hellman keys (uDH) and X.509 key certificates. Database 307 maintains key information and historical security association information for outside machines (e.g., mobile machines 204 and 214). Database 307 also maintains a secure locally unique address, such as a secureIP address, associated with each key information entry. In this manner, database 307 enables a prior security association to be reestablished whenever a secure data packet is received for which key information already exists in database 307.

In prior implementations address translation for outgoing data packets was performed indefinitely on the assumption that the translation remained valid for so long as packets continued to be received from and/or sent to the specified globally unique address. However, this allowed the secure network to continue sending data packets to a network address even after another machine had taken over that address. In accordance with the present invention, address translation device 302 is not used for packets that are received in the clear, without regard to the IP address from which the insecure packet was received. Hence, even though a packet is received from an IP address for which a security association exists, it is not remapped to the secureIP address when the packet is received in the clear.

Devices on the inside network communicate with the secure mobile host using the secureIP address stored in address translation unit 302. Address translation unit 302 translates the secureIP address to a real network address (e.g., IPv4 or IPv6 addresses). For all traffic addressed to a secureIP address the packet's payload is encrypted. Packets that are addressed directly to real network addresses pass through in a conventional manner.
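As an added illustration (not code from the patent or from SKIP), the following Python model implements the address translation unit described above: a pool of secureIP addresses, an association table keyed by the SKIP MKID whose real network address is updated whenever a secure packet with the same key material arrives, inbound classification by the IP protocol field (57 for SKIP), untranslated pass-through for packets received in the clear, translation plus encryption and authentication for outbound packets addressed to a secureIP address, and timestamp-based removal of idle pairs. The `Packet` layout, the `mkid` and `tag` fields, the XOR cipher standing in for SKIP's encryption, and the in-memory `key_db` standing in for database 307 are all assumptions of this example.

```python
import hmac
import ipaddress
import itertools
from dataclasses import dataclass

SKIP_PROTOCOL = 57  # IP protocol-field value the description gives for SKIP packets


@dataclass
class Packet:
    src: str
    dst: str
    protocol: int
    mkid: int = 0          # SKIP master key ID from the SKIP header (field name assumed)
    payload: bytes = b""
    tag: bytes = b""       # authentication tag over the payload (layout assumed)


@dataclass
class Association:
    mkid: int
    secure_ip: str         # address drawn from the gateway's secureIP pool
    network_ip: str        # real address the last secure packet for this key came from
    last_secure_seen: float


def toy_cipher(data: bytes, key: bytes) -> bytes:
    """XOR stand-in for SKIP's packet encryption; the same call decrypts."""
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def seal(plaintext: bytes, key: bytes) -> tuple[bytes, bytes]:
    """'Secure' a payload: encrypt, then authenticate the ciphertext with an HMAC tag."""
    ct = toy_cipher(plaintext, key)
    return ct, hmac.new(key, ct, "sha256").digest()


class AddressTranslationUnit:
    """Model of unit 302: one secureIP:network-address pair per key (MKID)."""

    def __init__(self, pool_cidr: str, key_db: dict[int, bytes]):
        # Free secureIP addresses, e.g. a reserved subnet chosen by the administrator.
        self.pool = [str(h) for h in ipaddress.ip_network(pool_cidr).hosts()]
        self.key_db = key_db                      # MKID -> key material (stands in for database 307)
        self.by_mkid: dict[int, Association] = {}
        self.by_secure: dict[str, Association] = {}

    def inbound(self, pkt: Packet, now: float):
        """Packet from the outside: returns the packet to forward inside, or None to drop."""
        if pkt.protocol != SKIP_PROTOCOL:
            # Clear packet: forwarded untranslated even if a pair exists for pkt.src,
            # so a machine that inherits that IP address never inherits the secureIP identity.
            return pkt
        key = self.key_db.get(pkt.mkid)
        if key is None or not hmac.compare_digest(
                hmac.new(key, pkt.payload, "sha256").digest(), pkt.tag):
            return None                           # unknown key or failed authentication
        assoc = self.by_mkid.get(pkt.mkid)
        if assoc is None:
            if not self.pool:
                return None                       # pool exhausted
            assoc = Association(pkt.mkid, self.pool.pop(0), pkt.src, now)
            self.by_mkid[pkt.mkid] = assoc
            self.by_secure[assoc.secure_ip] = assoc
        else:
            # The network address follows the key: the same MKID from a new IP updates the pair.
            assoc.network_ip, assoc.last_secure_seen = pkt.src, now
        # Inside hosts see the secureIP source address, which tells them the link was secure.
        return Packet(assoc.secure_ip, pkt.dst, pkt.protocol, pkt.mkid,
                      toy_cipher(pkt.payload, key))

    def outbound(self, pkt: Packet) -> Packet:
        """Packet from the inside: secureIP destinations are translated and secured."""
        assoc = self.by_secure.get(pkt.dst)
        if assoc is None:
            return pkt                            # real destination address: conventional pass-through
        ct, tag = seal(pkt.payload, self.key_db[assoc.mkid])
        return Packet(pkt.src, assoc.network_ip, SKIP_PROTOCOL, assoc.mkid, ct, tag)

    def expire(self, now: float, max_idle: float) -> list[str]:
        """Remove pairs with no secure packet for max_idle seconds; return the freed secureIPs."""
        freed = []
        for assoc in list(self.by_mkid.values()):
            if now - assoc.last_secure_seen > max_idle:
                del self.by_mkid[assoc.mkid]
                del self.by_secure[assoc.secure_ip]
                self.pool.append(assoc.secure_ip)
                freed.append(assoc.secure_ip)
        return freed


def demo():
    """Constructed scenario: Host A (MKID 1) moves from 1.2.3.4 to 1.2.3.5, then a
    packet from 1.2.3.5 carries Host A's MKID without Host A's key."""
    key_a = b"host-a-key"
    atu = AddressTranslationUnit("7.7.7.0/29", {1: key_a})
    first = atu.inbound(Packet("1.2.3.4", "10.0.0.5", SKIP_PROTOCOL, 1, *seal(b"hello", key_a)), now=0.0)
    moved = atu.inbound(Packet("1.2.3.5", "10.0.0.5", SKIP_PROTOCOL, 1, *seal(b"again", key_a)), now=10.0)
    clear = atu.inbound(Packet("1.2.3.5", "10.0.0.5", 6, payload=b"tcp in the clear"), now=11.0)
    intruder = atu.inbound(Packet("1.2.3.5", "10.0.0.5", SKIP_PROTOCOL, 1, b"junk", b"\0" * 32), now=12.0)
    reply = atu.outbound(Packet("10.0.0.5", "7.7.7.1", 6, payload=b"reply"))
    public = atu.outbound(Packet("10.0.0.5", "8.8.8.8", 6, payload=b"public"))
    freed = atu.expire(now=4000.0, max_idle=3600.0)
    return first, moved, clear, intruder, reply, public, freed
```

The `demo()` scenario follows the Host A example from the description: the pair created for MKID 1 at 1.2.3.4 follows the key to 1.2.3.5, a TCP packet in the clear from 1.2.3.5 is forwarded without translation, a packet that presents MKID 1 without the matching key fails authentication and is dropped rather than updating the pair, outbound traffic to the secureIP address is translated and secured while traffic to 8.8.8.8 passes through unchanged, and the pair is released back to the pool once no secure packet has been seen for longer than `max_idle`.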

In a preferred implementation gateway machine 102 
continues to enable address translation to a particular IP 
60 address for outgoing packets for a limited time after gateway 
102 stops receiving secure packets from that IP address. 
Because any packets addressed to that securelP address will 
be encrypted using the legitimate host's key information, 
there is no difficulty in continuing to send out data to the IP 
65 address even if that IP address has been hijacked as the 
intruder will not have the legitimate host's key information. 
If the legitimate host begins to send secure packets again, the 
timer 306 can be reset (if it has not expired) and address translation will continue. If the preselected time has already expired, the security association must be reverified and a new address translation entry set up. This enables a legitimate host to send both secure and clear packets with minimal overhead required to maintain the security association. 

Operation of the method and system in accordance with the present invention is conveniently understood in terms of processing incoming and outgoing data packets. Essential steps are described in reference to the flow diagrams shown in the drawings. For incoming packets, gateway machine 102 will determine if the data packet is secure (e.g., a SKIP packet) or received in the clear. Packets that are received in the clear are passed on transparently to higher network levels for routing to specific devices within secure network 107. For packets that are received in the clear, address translation is not performed. 

When the received data packet is secure (i.e., the machine sending the packet is using SKIP) it will include key information that enables gateway 102 to determine its public key values. This key information typically is not the key itself, as transmitting a key with each packet adds an unacceptable amount of overhead and leads to an undesirable amount of exposure for the key. Instead, the key information typically comprises a key identification such as the SKIP NSID/MKID information that is relatively compact. 

The process in accordance with the present invention determines if the key is known to the gateway machine. If the key was recently used it may be available in a cache, register, or local memory (not shown). If not, the public key corresponding to the sending machine's address is obtained using the certificate discovery protocol (CDP). If both a uDH key and an X.509 key are available, the X.509 key is preferentially used. The system also verifies that there is no revocation or access denied or other invalidation for this key that is known to the gateway machine. 

Once a public key is obtained, the process continues by obtaining or assigning a secureIP address to the machine. When the public key is an X.509 key certificate the address stored in the certificate is used as a secureIP address assigned to the entity holding the key certificate. When the public key information is a uDH key, certificate database 307 will include a record of a previously assigned secureIP address corresponding to this certificate. If a secureIP address has not been previously assigned, gateway machine 102 assigns and stores a secureIP address in address translation device 302. Where each certificate entry in address translation device 302 includes a timestamp this is updated. At this point, the gateway machine 102 knows the key for the machine, and a secureIP address. 

At least three ways exist to handle the address translation entries. These optional methods serve to maintain the address translation table and clear out old, unused entries. These methods include: 

1) If the total number of concurrent users is smaller than the available address space, then it is not necessary for address translation entries to time out. The gateway may hold address translation entries for all of the concurrent users, and just remember the latest used association of secureIP address (and key information) with the incoming network address. 

2) In a second case, the time when the last secure packet came in is remembered by, for example, storing a time stamp with each entry in address translation unit 302. As soon as a sufficiently long time (e.g., one hour) has passed without receiving any incoming secure packets from that network address, then the address translation entry for that host is removed or invalidated from the address translation table. In this case the address translation mechanism includes devices for monitoring the timestamps on each entry and expiring, invalidating or removing old entries. 

3) In a third case, a timer 306 is started when a packet is received in the clear from an IP address for which there is an entry in address translation unit 302. Timer 306 will cause address translation for the machine's address to expire after a preselected time has elapsed. If subsequent secure packets are received from the same machine address, timer 306 is reset so that address translation does not expire. In this manner, timer 306 terminates address translation unless a secure packet is received within a time period defined by timer 306. 

Steps involved in outgoing packet processing are shown in FIG. 6. For a packet addressed to a secureIP address, address translation device 302 maps the secureIP address to the real, dynamically assigned network address held by the outside machine 202 or 204. In the case of SKIP secure packets, address translation is set up from this NSID/MKID address on the outside to the secureIP address on the inside. Whenever a network IP address is translated to a secureIP address that has been previously assigned, the older entry is removed. 

For all incoming packets from addresses mapped to a secureIP address, decryption is performed, and the data packets are sent on to internal network 107. All incoming data packets from the outside that claim to be from a secureIP address are filtered out and discarded. Because the secureIP address pool is known only to the internal network, no external device should be able to use that secureIP address, including the machine to which it is assigned. 

For outgoing packets, if the traffic goes to a normal outside address (a real network address such as an IP address), it is passed on to the public network 105 unmodified, without any address translation. When an outgoing data packet is addressed to a secureIP address the address translation is performed as described above. In cases where there is no mapping in address translation device 302, the packet is discarded. 

In a particular implementation, to further large-scale availability, each mobile host is preconfigured with SKIP (or an equivalent security protocol), CDP running, and one DH key pair generated during system configuration. To start SKIP, these machines just send SKIP packets. The gateway will fetch the uDH information from them, and actually start it immediately (unless otherwise configured by the gateway administrator). If a more persistent security association is desired, the gateway administrator signs the mobile host's public key, thereby binding the secureIP address to the public key value in a strong manner. The mobile host user is not involved, unless the gateway administrator wants to confirm an identity, which can be added to the certificate. 

Machines on the outside (assuming they all have differing keying material) simply can not interfere with each other. If the dynamic IP address is relocated to another host using a secure connection, the change can be detected due to differing MKIDs and thus address translation easily switched over by updating the address pair entry in address translation device 302 (e.g., new secureIP address and new keying material assigned to this network address). If a change from a non-SKIP to a SKIP machine occurs, the connection can easily upgrade by creating an address translation entry where none existed for the non-SKIP machine. 

If an address from which SKIP packets have been 
received begins to talk in the clear, the incoming packets are 
passed on with their outside address. Outgoing packets to 
this address will pass unhindered, and in the clear. If there 
are still SKIP packets on the way to the outside, they will be 
mapped to the same address, SKIPed and forwarded. This 
does not compromise security because the non-SKIP 
machine will just throw those packets away. 

Because address translation and encryption/decryption 
remain in control of the legitimate host, the legitimate host 
can immediately talk in cleartext to the internal network 
while an intruder trying to throw an outside host into 
cleartext mode will fail. The legitimate host will go on doing 
SKIP (or equivalent security operation), get address trans- 
lation and the translation will not expire. Even if address 
translation does expire it will simply be reestablished when 
the legitimate host begins sending secure packets later. 

In an optional embodiment, secureIP addresses assigned 
to uDH key certificates can be expired some time after they 
were last used, allowing reuse of the pool. This expiration is 
on the order of days or weeks. This is a matter of convenience 
as it cleans up the database, making it smaller by removing 
information about secureIP addresses that are no longer in 
use. 

One potential attack involves an intruder trying to cause 
a denial of service failure in gateway 102. In such an attack, 
an intruder could have assembled a large number of uDH 
certificates that are sent to the gateway 102. This would 
cause gateway 102 to assign secureIP addresses from its 
pool to the uDH certificates and may exhaust the available 
pool of addresses. This attack does result in a partial denial 
of service to legitimate hosts attempting to establish a 
security relationship with the gateway using uDH certifi- 
cates that are not yet assigned to secureIP addresses. 
However, existing connections that have assigned secureIP 
addresses stay up, and newcomers having X.509 certificates 
can also continue to connect. Only hosts relying on uDH 
where no address assignment has taken place yet would fail 
to connect. This type of attack is detectable, and non-fatal. 
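The incoming and outgoing packet processing described above, the third (timer-based) maintenance method, and the uDH pool-exhaustion case, modelled in Python as an added example that is not code from the patent: the class and function names, the packet fields, the 10.200.0.0/29 pool and the timeout value are assumptions, and SKIP encryption/decryption is represented only by the packet's secure flag.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional


class PoolExhausted(Exception):
    """A new uDH host needs a secureIP address but the pool is empty."""


@dataclass
class Packet:
    src: str             # real source address (inbound) or inside source (outbound)
    dst: str
    secure: bool         # True when carried by SKIP or an equivalent protocol
    key_id: str = ""     # NSID/MKID-style key identifier (constructed values)
    x509_addr: str = ""  # address from an X.509 certificate; "" means a uDH key


@dataclass
class Entry:
    secure_ip: str
    key_id: str
    clear_deadline: Optional[float] = None  # timer 306: armed by a clear packet


class Gateway:
    def __init__(self, pool_cidr="10.200.0.0/29", clear_timeout=600.0):
        self.pool = [str(h) for h in ip_network(pool_cidr).hosts()]
        self.secure_addrs = set(self.pool)  # every address that is a secureIP
        self.by_net_addr = {}               # real address -> Entry (unit 302)
        self.by_key = {}                    # uDH key_id -> secureIP (database 307)
        self.revoked = set()                # key ids the gateway knows are invalid
        self.clear_timeout = clear_timeout

    def _secure_ip_for(self, pkt):
        if pkt.x509_addr:                   # X.509: the cert carries the address
            self.secure_addrs.add(pkt.x509_addr)
            return pkt.x509_addr
        if pkt.key_id in self.by_key:       # uDH seen before: reuse its address
            return self.by_key[pkt.key_id]
        if not self.pool:                   # exhausted pool hits only new uDH hosts
            raise PoolExhausted(pkt.key_id)
        self.by_key[pkt.key_id] = self.pool.pop(0)
        return self.by_key[pkt.key_id]

    def expire(self, now):
        """Remove associations whose clear-packet timer has run out."""
        for addr, e in list(self.by_net_addr.items()):
            if e.clear_deadline is not None and e.clear_deadline <= now:
                del self.by_net_addr[addr]

    def inbound(self, pkt, now):
        """Return (packet as forwarded inside, action) for a packet from outside."""
        self.expire(now)
        if pkt.src in self.secure_addrs:    # outsiders may never claim a secureIP
            return None, "drop:claims-secureIP"
        entry = self.by_net_addr.get(pkt.src)
        if not pkt.secure:
            if entry is not None and entry.clear_deadline is None:
                entry.clear_deadline = now + self.clear_timeout  # start timer 306
            return pkt, "pass:clear"        # clear packets are never translated
        if pkt.key_id in self.revoked:
            return None, "drop:revoked-key"
        if entry is None or entry.key_id != pkt.key_id:
            # New host, or the dynamic address moved to a host with other keys
            # (seen as a different MKID): build a fresh association.
            entry = Entry(self._secure_ip_for(pkt), pkt.key_id)
            self.by_net_addr[pkt.src] = entry
        entry.clear_deadline = None         # secure traffic resets timer 306
        return Packet(entry.secure_ip, pkt.dst, True, pkt.key_id), "translate"

    def outbound(self, pkt, now):
        """Return (packet as sent outside, action) for a packet from inside."""
        self.expire(now)
        if pkt.dst not in self.secure_addrs:
            return pkt, "pass:real-address"  # conventional traffic, untouched
        for real, e in self.by_net_addr.items():
            if e.secure_ip == pkt.dst:      # translate; payload would be SKIP-encrypted
                return Packet(pkt.src, real, True, e.key_id), "translate+encrypt"
        return None, "drop:no-mapping"
```

Associations expired by the clear-packet timer keep their uDH secureIP assignment in `by_key`, so a host that resumes secure traffic gets the same secureIP back, matching the text; the days-or-weeks expiry of those assignments is not modelled.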

Although the invention has been described and illustrated 
with a certain degree of particularity, it is understood that the 
present disclosure has been made only by way of example, 
and that numerous changes in the combination and arrange- 
ment of parts can be resorted to by those skilled in the art 
without departing from the spirit and scope of the invention, 
as hereinafter claimed. 

I claim: 

1. A method for secure data communication with a mobile 
machine comprising the steps of: 
establishing a pool of secure addresses; 

receiving a data packet from the mobile machine, the data 
including a particular network address for the mobile 
machine; 

creating a data structure holding address translation asso- 
ciations wherein each association is between a particu- 
lar network address and a particular one of the secure 
addresses; 

determining if the received data packet is a secure data 
packet; 

when the received data packet is a secure packet, identi- 
fying an association between the received data packet's 
network address and a secure address in the data 
structure; and 

translating the data packet's network address to the asso- 
ciated secure address before forwarding the data packet 
on to higher network protocol layers, 

wherein when the received data packet from the particular 
network address is not secure, passing it on without 
address translation to higher network protocol layers 
and terminating address translation for the particular 
network address after a preselected time interval. 

2. The method of claim 1 further comprising: 
receiving a subsequent data packet from the mobile 
machine, the subsequent data packet including the 
particular network address; 

determining if the subsequent data packet is a secure packet; 
and 

when the subsequent data packet is a secure packet, 
resetting a timer that measures time during the prese- 
lected time interval. 

3. The method of claim 1 wherein the step of identifying 
an association between the received data packet's network 
address and a secure address in the data structure further 
comprises: 

examining the data structure to determine if an association 
for the particular network address is already stored in 
the data structure. 

4. A method for secure data communication with a mobile 
machine comprising the steps of: 

establishing a pool of secure addresses; 

receiving a data packet from the mobile machine, the data 

including a particular network address for the mobile 

machine; 

creating a data structure holding address translation asso- 
ciations wherein each association is between a particu- 
lar network address and a particular one of the secure 
addresses; 

determining if the received data packet is a secure data 
packet; 

when the received data packet is a secure packet, identi- 
fying an association between the received data packet's 
network address and a secure address in the data 
structure, determining a public key for the received data 
packet, determining whether the public key is already 
associated with one of the secure addresses and, if so, 
using the already assigned secure address to create an 
association in the data structure, and when the public 
key is not associated with one of the secure addresses 
assigning one of the secure addresses from the pool of 
secure addresses to create an association in the data 
structure; and 

translating the data packet's network address to the asso- 
ciated secure address before forwarding the data packet 
on to higher network protocol layers. 

5. The method of claim 4 wherein the step of determining 
a public key comprises requesting the public key from 
a local database. 

6. The method of claim 4 wherein the step of determining 
a public key comprises requesting the public key using 
certificate discovery protocol (CDP). 

7. The method of claim 4 further comprising a step of 
verifying that the public key is not revoked and not invali- 
dated. 

8. The method of claim 4 wherein the public key is 
an X.509 key certificate. 

9. A method for secure data communication with a mobile 
machine comprising the steps of: 
establishing a pool of secure addresses; 

receiving a data packet from the mobile machine, the data 
including a particular network address for the mobile 
machine; 

creating a data structure holding address translation asso- 
ciations wherein each association is between a particu- 
lar network address and a particular one of the secure 
addresses; 

determining if the received data packet is a secure data 
packet; 

when the received data packet is a secure packet, identi- 
fying an association between the received data packet's 
network address and a secure address in the data 
structure; 

translating the data packet's network address to the asso- 
ciated secure address before forwarding the data packet 
on to higher network protocol layers; and 

discarding all received data packets that contain a par- 
ticular network address that is one of the pool of secure 
addresses. 

10. A system for secure data communications with a 
mobile machine comprising: 

a gateway machine having a secure port for coupling to a 
secure network and an insecure port for coupling to an 
insecure network; 

a data structure within the gateway machine holding 
address translation associations wherein each associa- 
tion is between a particular network address and a 
particular secure address; 

an address translation device within the gateway machine 
coupled to the data structure and operative to translate 
between a secure address and its associated network 
address and between a network address and its associ- 
ated secure address; 

an analysis device in the gateway machine for analyzing 
data packets received from the insecure network to 
determine whether the received data packet is secure 
and operative to enable the address translation device 
when the received data packet is secure; and 

means for measuring elapsed time since a packet is 
received in the clear, wherein the analysis device is 
coupled to the address translation device to invalidate 
a selected address translation association in the data 
structure at a preselected time after a packet is received 
in the clear from the network address associated with 
the address translation association. 

11. The system of claim 10 wherein a timer that measures 
time during the preselected time interval is reset upon 
receiving a secure packet. 

12. A system for secure data communications with a 
mobile machine comprising: 

a gateway machine having a secure port for coupling to a 
secure network and an insecure port for coupling to an 
insecure network; 

a data structure within the gateway machine holding 
address translation associations wherein each associa- 
tion is between a particular network address and a 
particular secure address; 

an address translation device within the gateway machine 
coupled to the data structure and operative to translate 
between a secure address and its associated network 
address and between a network address and its associ- 
ated secure address; and 

an analysis device in the gateway machine for analyzing 
data packets received from the insecure network to 
determine whether the received data packet is secure 
and operative to enable the address translation device 
when the received data packet is secure, 

wherein each address translation association in the data 
structure corresponds to a network address from which 
no data packet has been sent in the clear since receiving 
a secure data packet. 

13. A system for secure data communications with a 
mobile machine comprising: 

a gateway machine having a secure port for coupling to a 
secure network and an insecure port for coupling to an 
insecure network; 

a data structure within the gateway machine holding 
address translation associations wherein each associa- 
tion is between a particular network address and a 
particular secure address; 

an address translation device within the gateway machine 
coupled to the data structure and operative to translate 
between a secure address and its associated network 
address and between a network address and its associ- 
ated secure address; and 

an analysis device in the gateway machine for analyzing 
data packets received from the insecure network to 
determine whether the received data packet is secure 
and operative to enable the address translation device 
when the received data packet is secure, 

wherein address translation associations in the data struc- 
ture are dynamically updated in response to receiving a 
data packet from a network address that has an entry in 
the data structure but includes new key information. 

14. A computer implemented system for secure data 
communication with a mobile machine operable on a com- 
puter system having a processor and data storage devices 
coupled to the processor, the system comprising: 

computer implemented code devices executing on the 
processor and configured to cause the computer to 
define a pool of secure addresses; 

computer implemented code devices executing on the 
processor and configured to cause the computer to 
receive a data packet from the mobile machine, the data 
including a particular network address for the mobile 
machine; 

computer implemented code devices executing on the 
processor and configured to cause the computer to 
create a data structure holding address translation asso- 
ciations wherein each association is between a particu- 
lar network address and a particular one of the secure 
addresses; 

computer implemented code devices executing on the 
processor and configured to cause the computer to 
determine if the received data packet is a secure data 
packet; 

computer implemented code devices executing on the 
processor and configured to cause the computer to 
identify an association between the received data pack- 
et's network address and a secure address in the data 
structure when the received data packet is a secure 
packet; 

computer implemented code devices executing on the 
processor and configured to cause the computer to 
translate the data packet's network address to the 
associated secure address before forwarding the data 
packet on to higher network protocol layers; 

computer implemented code devices executing on the 
processor and configured to cause the computer to 
respond to receiving a data packet from the particular 
network address that is not secure by starting a timer 
measuring time elapsed since the insecure data packet 
was received; and 

computer implemented code devices executing on the 
processor and configured to cause the computer to 
terminate address translation for the particular network 
address after a preselected time interval as measured by 
the timer. 

15. The system of claim 14 further comprising: 
computer implemented code devices executing on the 
processor and configured to cause the computer to pass 
the data packet on without address translation to higher 
network protocol layers when the received data packet 
from the particular network address is not secure. 

16. The system of claim 15 further comprising: 
computer implemented code devices executing on the 
processor and configured to cause the computer to 
receive a subsequent data packet from the mobile 
machine, the subsequent data packet including the 
particular network address; 

computer implemented code devices executing on the 
processor and configured to cause the computer to 
determine if the subsequent data packet is a secure 
packet; and 

computer implemented code devices executing on the 
processor and configured to cause the computer to reset 
a timer when the subsequent data packet is a secure 
packet. 

17. The system of claim 14 wherein the computer imple- 
mented code devices that identify whether an association 
between the received data packet's network address and a 
secure address in the data structure further comprise: 

computer implemented code devices executing on the 
processor and configured to cause the computer to 
examine the data structure to determine if an associa- 
tion for the particular network address is already stored 
in the data structure. 

18. The system of claim 14 wherein the computer imple- 
mented code devices that identify an association between the 
received data packet's network address and a secure address 
in the data structure further comprise: 

computer implemented code devices executing on the 
processor and configured to cause the computer to 
determine a public key for the received data packet; and 

computer implemented code devices executing on the 
processor and configured to cause the computer to 
determine whether the public key is already associated 
with one of the secure addresses and, if so, use the 
already assigned secure address to create an association 
in the data structure. 

19. The system of claim 14 wherein the computer imple- 
mented code devices that identify an association between the 
received data packet's network address and a secure address 
in the data structure further comprise: 

computer implemented code devices executing on the 
processor and configured to cause the computer to 
verify that the public key is not revoked and not 
invalidated. 

20. A computer implemented system for secure data 
communication with a mobile machine operable on a com- 
puter system having a processor and data storage devices 
coupled to the processor, the system comprising: 

computer implemented code devices executing on the 
processor and configured to cause the computer to 
define a pool of secure addresses; 

computer implemented code devices executing on the 
processor and configured to cause the computer to 
receive a data packet from the mobile machine, the data 
including a particular network address for the mobile 
machine; 

computer implemented code devices executing on the 
processor and configured to cause the computer to 
create a data structure holding address translation asso- 
ciations wherein each association is between a particu- 
lar network address and a particular one of the secure 
addresses; 

computer implemented code devices executing on the 
processor and configured to cause the computer to 
determine if the received data packet is a secure data 
packet; 

computer implemented code devices executing on the 
processor and configured to cause the computer to 
identify an association between the received data pack- 
et's network address and a secure address in the data 
structure when the received data packet is a secure 
packet; 

computer implemented code devices executing on the 
processor and configured to cause the computer to 
translate the data packet's network address to the 
associated secure address before forwarding the data 
packet on to higher network protocol layers; and 

computer implemented code devices executing on the 
processor and configured to cause the computer to 
assign one of the secure addresses from the pool of 
secure addresses to create an association in the data 
structure when the public key is not associated with one 
of the secure addresses. 

21. The system of claim 20 further comprising: 
computer implemented code devices executing on the 

processor and configured to cause the computer to pass 
the data packet on without address translation to higher 
network protocol layers when the received data packet 
from the particular network address is not secure. 

22. The system of claim 20 wherein the computer imple- 
mented code devices that identify whether an association 
between the received data packet's network address and a 
secure address in the data structure further comprise: 

computer implemented code devices executing on the 
processor and configured to cause the computer to 
examine the data structure to determine if an associa- 
tion for the particular network address is already stored 
in the data structure. 

23. The system of claim 20 wherein the computer imple- 
mented code devices that identify an association between the 
received data packet's network address and a secure address 
in the data structure further comprise: 

computer implemented code devices executing on the 
processor and configured to cause the computer to 
determine a public key for the received data packet; and 

computer implemented code devices executing on the 
processor and configured to cause the computer to 
determine whether the public key is already associated 
with one of the secure addresses and, if so, use the 
already assigned secure address to create an association 
in the data structure. 

24. The system of claim 20 wherein the computer imple- 
mented code devices that identify an association between the 
received data packet's network address and a secure address 
in the data structure further comprise: 

computer implemented code devices executing on the 
processor and configured to cause the computer to 
verify that the public key is not revoked and not 
invalidated. 